ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: List of Administrative Accounts in Active Directory - Orphaned AdminSDHolder Objects, AdminCount and SDPROP


Newbie

Posts: 3
Date: Oct 5, 2013

Hello,

We were trying to enumerate the list of all administrative accounts in Active Directory, and were advised to do so based on the value of the adminCount attribute on user objects, as this is widely considered to be the most efficient way to enumerate the list of administrative accounts in Active Directory.

The problem is that in the list of administrative accounts retrieved by using admincount, there are some users who should not be on that list, but still show up. We know that these users were admins in the past, but we had since removed them, so we were a little confused to see them on the list.

Upon doing some research, we learnt that there is apparently a bug in Active Directory wherein the values of the admincount attribute are not updated on user accounts once they are no longer administrators.

We also came across something known as Orphaned AdminSDHolder Objects, but it was not very clear to us what it is. Apparently it has something to do with a process called SDPROP.

I would appreciate it if someone could help us better understand this in simple terms.

Thanks,

- Gunter



__________________
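A check that turns the question above into a query, added here as an example and not part of Gunter's post: it lists users still stamped adminCount=1 that are no longer direct or nested members of any SDPROP-protected group, which is exactly the set of orphaned objects the post describes, and shows a dry-run cleanup. It assumes the RSAT ActiveDirectory module is installed and uses the default protected-group list (adjust it if dSHeuristics has excluded the operator groups in your forest).

```powershell
# Added example (not from the original post): report "orphaned" adminCount users,
# i.e. accounts SDPROP stamped while they were admins but never un-stamped after
# they were removed from every protected group. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Default SDPROP-protected groups (assumption: no dSHeuristics exclusions in this forest).
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)
# Two built-in users are protected directly rather than through group membership.
$ProtectedUsers = @('Administrator', 'krbtgt')

# Build the set of distinguishedNames that SDPROP legitimately protects today.
$protectedDNs = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $ProtectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }   # Enterprise/Schema Admins exist only in the forest root domain
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [void]$protectedDNs.Add($_.distinguishedName) }
}
foreach ($u in $ProtectedUsers) {
    $acct = Get-ADUser -Filter "SamAccountName -eq '$u'" -ErrorAction SilentlyContinue
    if ($acct) { [void]$protectedDNs.Add($acct.DistinguishedName) }
}

# Anyone with adminCount=1 who is NOT in the protected set is an orphan: SDPROP only
# ever sets the attribute, it does not clear it when membership is removed.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { -not $protectedDNs.Contains($_.DistinguishedName) }

# Orphans also keep the AdminSDHolder ACL with inheritance disabled, so show that too.
$orphans | Select-Object SamAccountName, DistinguishedName,
    @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } } |
    Format-Table -AutoSize

# Optional cleanup, dry run by default (remove -WhatIf after reviewing the report):
# clear the stale flag and re-enable ACL inheritance so the account picks up its
# OU's delegated permissions again.
foreach ($o in $orphans) {
    Set-ADUser -Identity $o -Clear adminCount -WhatIf
    $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing explicit ACEs
    Set-Acl -Path "AD:\$($o.DistinguishedName)" -AclObject $acl -WhatIf
}
```

Run it as a user who can read the protected groups and write to the affected accounts; the report alone needs only read access.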